Hello,
I'm trying to configure some port-forwarding on my router without any success...
Here is my situation:
A simple configuration: 1 Wan, 1 Lan to start with
On top of this, I have one VPN client and one VLAN (over the LAN port) for VPN users.
What I've succeeded to do:
- LAN users use the default gateway
- VPN Vlan users use the VPN gateway
What I cannot succeed to do:
I'm trying to forward some port from the VPN client to one of the VPN Vlan computers. But I'm not able to establish any connection through this port forwarding. 
When analyzing TCP dumps, I can see that incoming packets from the VPN client are well forwarded to the Vlan client, but outgoing packets from the Vlan client are going out from the Wan interface !
I can't figure out why this happens, the only rule for Vlan users is the "use-gateway" rule, and it's not respected...
Do you have any ideas of where I can look at ?
Thanks a lot,
Quentin
			
			
			
				Hello,
Still the same problem for me...
I think that it could be a problem with the "Reply-to" flag...
How can I view these flags using some tcpdumps ?
Thanks a lot !
Quentin
			
			
			
				Hi Quentin,
You can save the capture as a file and open it with Wireshark on your desktop. This will show each packet to a frightening level of detail ;-)
Bart...
			
			
			
				Also the reply-to flag can be seen in the rules at /tmp/rules.debug.
			
			
			
				Hello !
Thanks four your answers.
I've started to make some more tcpdumps to analyse the with Wireshark.
One strange thing that I can see in the rules file, here is the "pass" rule for my port forwarding:
pass in  quick on ovpnc1 reply-to ( ovpnc1 10.10.10.1 )  inet proto {tcp udp}  from {any} to {10.14.20.2}  port 12345 label "USER_RULE: NAT "
This is the only rule that doesn't have the "keep state" flag. Can't this be my problem ?
Thanks !
			
			
			
				So you have a NAT rule for port 12345 to that LAN IP? Is that port or IP involved in your VPN setup?
			
			
			
				Not at all.
My VPN provider gave me this port as the "forwarded port".
The hosts 10.14.20.2 is the server on my LAN (with the router as default gateway: 10.14.20.1) and 10.10.10.1  is the openvpn sent gateway.
For now, all I can say is that the port forwarding on the VPN side is working (I can see incoming TCP connections), and the route-to rule is working too (the host on the LAN have the VPN outside IP address on the Internet).
			
			
			
				When you say "my VPN provider," I'm confused about where the VPN servers are as compared to the VPN hosts. I'm also wondering if your VPN provider meant "12345" as a placeholder for other specific ports, since that's not a standard port for OpenVPN.
			
			
			
				Okay, sorry if I wasn't very clear in my messages :)
My VPN provider is PIA VPN, so the servers are on the Internet. Here, 12345 is an example port. They are providing me an API to get the forwarded port (that may change). Right now my forwarded port is 39856.
To explain what I'm calling the VPN hosts:
I'm using several VLANs, one DMZ for my servers, one LAN for my computers, and one for the "VPN" computers, that should go on the internet using the VPN connection.
All my VLANs are on the 10.14.0.0/16 subnet. 
The 10.14.20.0/24 is the VPN Vlan subnet, with the router on .1 and my "port-forwarded listener being on .2".
I hope that I've been clear enough :S 
Thanks,
Quentin
			
			
			
				You may be clearer than I am clever enough  ;) Okay, so you're trying to set up OPNsense as a VPN client and tunnel your "VPN" computers out through it via your VPN provider? Or is your VPN provider set up to allow you to set up a peer-to-peer OpenVPN connection? Or are you trying to run VPN clients locally on your internal systems, and have them NAT out to your VPN provider?
If as it seems you've got a single VPN client and you want to put other clients behind it, well I didn't know that was possible. If you have a OpenVPN or IPsec server as a peer to another of the same, you can certain do that. But for an OpenVPN client to function as the door to the VPN for multiple other systems behind it ... that's a clever thing to do if you can make it work. I haven't seen mention of doing it that way.
			
			
			
				Well, the basic fact (excluding this port-forwarding detail) is that I want to have a local subnet of clients accessing internet through one OpenVPN connection of my router. I don't want my clients to have to deal with OpenVPN. it must be transparent for them.
The great thing is that this is working very well !
I can instantly switch from "normal direct internet" to "vpn routed internet" just by switching of vlan !
Now, my VPN provider (PIA VPN, an online VPN provider), gives me one forwarded port. This port is redirected from the outside IP of their servers to my client, here my router.
I'm just trying to redirect that port to one of the machines on the Vlan configured for VPN routed internet...
			
			
			
				Hello,
I'm upping this post as I still have the issue, and I can't figure out how to solve it...
I'll try to explain what I'm trying to do:
Here is my network
                                                       +------------------+
                                    +----VLAN 1--------+Server on main lan|
                                    |                  +------------------+
                                    |
           +-------+     +----------+--------+
           |  WWW  +-----+  OPNsense router  |
           +--+----+     +----------+--------+
              |                     |
              |                     |                  +-----------------+
+-------------+--+                  +----VLAN 2--------+Server behind VPN|
|  VPN Provider  |                                     +-----------------+
+----------------+
My router is running an OpenVPN client to some VPN provider on the internet. I have locally two VLANs, one with direct access to the internet, and the other one (VLAN 2) that access the Internet via the VPN client. 
Now, what is working:
VLAN 1 server can access the internet without any issue. Port forwarding from the internet interface to VLAN 1 server works well too. 
VLAN 2 server can access the internet without any issue. All VLAN 2 traffic is sent on the VPN connection to the VPN provider, using a "specific gateway" rule. So the server on VLAN 2 have the VPN provider's outside IP. But, the VPN provider gives me one forwarded port (from it's outside IP address to the VPN client address). I want to forward this port to the server behind VPN.
I'm using output NAT on both the internet interface and the VPN client interface.
What is NOT working:
When doing a port forwarding check, I can't connect to the server behind VPN from the internet.
What are showing the tcpdumps:
- TCP connection comes to the VPN client interface.
- It is forwarded to the server behind VPN
- The server answers to the request
- The answer is routed to the VPN client interface. BUT at this moment, the output NAT is not applied. I mean that I can see the "local server IP > remote host" sent on the ovpnc1 interface.
- The answer never reaches the remote host.
Note:
When making an HTTP test from the server behind VPN, the output NAT is working, and the request succeeds. The problem only occurs when answering to a forwarded request.
I hope that someone here will have an idea to help me find the issue...
Thanks,
Quentin